Disclaimer

The content of this blog is my personal opinion only. Although I am an employee - currently of Imagination Technologies's MIPS group, in the past of other companies such as Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Thursday, February 04, 2016

Fixing Unix/Linux/POSIX Filenames: Control Characters (such as Newline), Leading Dashes, and Other Problems

I believe that all [*] of the problems David Wheeler mentions could be solved if ALL characters in filenames were "escaped" - e.g. by placing them into some unused prefix space of your character encoding - when being processed. ALL of the characters, not just special characters.  Characters that already have such a prefix applied get two prefixes applied, etc.



Ditto for any script injection or SQL injection attacks.

Note: * I usually attempt false modesty, and say things like "all or almost all". But this obscures the point. ALL can be.





Fixing Unix/Linux/POSIX Filenames: Control Characters (such as Newline), Leading Dashes, and Other Problems: "Interesting alternative: Auto-convert spaces to unbreakable spaces"
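The "escape ALL the characters" idea from the post, together with its "ditto for script and SQL injection" remark, worked through as an added Perl example. This is my code, not the author's and not from David Wheeler's essay; the '%' prefix, the function names and the sample filenames are assumptions made for the illustration:

```perl
#!/usr/bin/perl
# Added example (not from the post, not from David Wheeler's essay): escape
# EVERY byte of a filename, not just the "special" ones, before it is handed
# to a shell, a log line, an SQL or script template.  The escaped form uses
# only '%' and hex digits, so a newline, a leading '-', a space or a quote
# can no longer be misread by the consumer.  The prefix '%' is itself just a
# byte, so escaping an already-escaped name nests one more layer, and
# unescaping peels exactly one layer off.  Prefix and names: my assumptions.
use strict;
use warnings;

my $PREFIX = '%';   # the "unused prefix" of the output alphabet

# Escape every byte as PREFIX + two lowercase hex digits.
sub escape_all {
    my ($name) = @_;
    return join '', map { $PREFIX . $_ } unpack '(H2)*', $name;
}

# Undo exactly one layer.  Input that is not a pure run of "%hh" triples was
# not produced by escape_all, so refuse it instead of passing unknown bytes on.
sub unescape_one {
    my ($esc) = @_;
    die "malformed escaped name: '$esc'\n"
        unless $esc =~ /\A(?:\Q$PREFIX\E[0-9a-f]{2})*\z/;
    (my $out = $esc) =~ s/\Q$PREFIX\E([0-9a-f]{2})/chr hex $1/ge;
    return $out;
}

# True if a string stays inside the escaped alphabet: no control characters,
# no leading dash, no whitespace, no quotes, no statement separators.
sub is_safe {
    my ($s) = @_;
    return $s =~ /\A[%0-9a-f]*\z/ ? 1 : 0;
}

# Constructed sample names covering the classes of problem the post lists.
my @names = (
    "-rf",                   # leading dash: looks like an option to a tool
    "notes\nfile",           # embedded newline: breaks line-oriented parsing
    "it's; x",               # quote and separator: script/SQL template trouble
    "plain.txt",
);

sub show { (my $s = shift) =~ s/\n/\\n/g; return "'$s'" }

for my $n (@names) {
    my $e  = escape_all($n);
    my $ee = escape_all($e);            # second layer: the '%'s get escaped too
    printf "%-14s -> %-36s safe=%d\n", show($n), $e, is_safe($e);
    die "round trip failed"  unless unescape_one($e) eq $n;
    die "nested trip failed" unless unescape_one(unescape_one($ee)) eq $n;
    die "one layer off the nested form should give the single-escaped form"
        if unescape_one($ee) ne $e;
}
print "all round trips OK\n";
```

The point of escaping everything is that the consumer never has to know which characters its peers treat as special: the escaped alphabet contains none of them, and the refusal in unescape_one catches any string that skipped the escaping step.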




Monday, February 01, 2016

FindBin - perldoc.perl.org

FindBin - perldoc.perl.org: "If there are two modules using FindBin from different directories under the same interpreter, this won't work. Since FindBin uses a BEGIN block, it'll be executed only once, and only the first caller will get it right. This is a problem under mod_perl and other persistent Perl environments, where you shouldn't use this module. Which also means that you should avoid using FindBin in modules that you plan to put on CPAN. "


use Dir::Self instead.

(ISSUE: Dir::Self and symlinks.)


Dir::Self - search.cpan.org

Use Dir::Self to cope with the problem that FindBin should not be called more than once in a program.

FindBin for the location of the executable to find libraries relative to the executable.

use lib "$FindBin::RealBin/lib";

Dir::Self for modules that want to load other modules relative to themselves.

use lib __DIR__;

or

use lib __DIR__ . "/..";

ISSUE: is __DIR__ symlink aware - i.e. is it the equivalent of $FindBin::Bin or $FindBin::RealBin?
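A check for the symlink ISSUE, as an added example (my script, not from the post and not from the FindBin or Dir::Self documentation). It assumes Dir::Self is installed from CPAN; the symlink paths in the comments are placeholders:

```perl
#!/usr/bin/perl
# Added example, not from the post or from either module's documentation.
# It answers the "is __DIR__ symlink aware?" question empirically for the
# Perl and Dir::Self you actually have, and shows how to get behaviour like
# $FindBin::RealBin from Dir::Self whichever way the answer goes.
# Assumes Dir::Self is installed from CPAN; FindBin, Cwd, File::Spec are core.
use strict;
use warnings;
use FindBin qw($Bin $RealBin);
use Dir::Self;
use Cwd qw(realpath);
use File::Spec;

# Symlink-resolved directory of the current source file.  Cwd::realpath()
# canonicalises the path the way $FindBin::RealBin does for the executable,
# so this is the form to use in a module that may be reached through a
# symlink farm:   use lib real_dir() . "/lib";   (or realpath(__DIR__) inline)
sub real_dir { return realpath(__DIR__) }

# 1 if Dir::Self already resolved symlinks for this file, 0 if it did not.
# Only meaningful when run as the main script, because only then do __DIR__
# and $FindBin::RealBin describe the same file.
sub dir_self_resolves_symlinks {
    my $dir = File::Spec->canonpath(__DIR__);   # strip any trailing separator
    return $dir eq $RealBin ? 1 : 0;
}

printf "FindBin::Bin      = %s\n", $Bin;       # directory of $0 as invoked
printf "FindBin::RealBin  = %s\n", $RealBin;   # same, with symlinks resolved
printf "Dir::Self __DIR__ = %s\n", __DIR__;    # directory of this source file
printf "realpath(__DIR__) = %s\n", real_dir();

print dir_self_resolves_symlinks()
    ? "__DIR__ equals RealBin: either no symlink was involved or it was resolved\n"
    : "__DIR__ differs from RealBin: Dir::Self did NOT resolve the symlink\n";

# For a meaningful answer, run the script through a symlink, for example
#   ln -s /real/dir/check_dir.pl /other/dir/check_dir.pl
#   perl /other/dir/check_dir.pl
# If __DIR__ prints /other/dir while RealBin prints /real/dir, __DIR__ behaves
# like $FindBin::Bin, and realpath(__DIR__) is the $FindBin::RealBin analogue.
```

Whatever the script reports, wrapping __DIR__ in realpath() gives a module the same symlink-resolved base that $FindBin::RealBin gives an executable, without the once-per-interpreter limitation of FindBin quoted above.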




Sunday, January 31, 2016

Compile-time vs run-time checks in Perl's Safe

I have long thought that the fundamental problem with computer security is that we don't really have a way of doing a "safe eval".

Or, conversely: lots of code really wants to evaluate code provided by a caller or user. But doing an arbitrary "eval" is unsafe, for many well-known reasons. So many, many programs create restricted subset languages, no matter whether interpreted or compiled, and then allow the user to specify that. But... there are many ways in which these supposedly safe restricted subset languages can be implemented with security holes. And they are - implemented with security holes - over and over and over again.

Heck, just figuring out how to quote text to be passed between two levels is a copious source of bugs.

I think that, in an ideal world, we might be able to code a "safe eval" once and for all. One that is designed to test security assertions such as "cannot access filesystem".

Perl's Safe::reval (restricted eval) is the best attempt at this that I am familiar with. http://perldoc.perl.org/Safe.html

But it has problems.

One of the best known problems is that it can, or at least used to, be able to return a Perl object with a DESTRUCTOR that would execute outside the Safe compartment. I assume that this has been fixed, since it is no longer mentioned.

Another problem, IMHO, is Safe's dependence on compile-time rather than run-time checking:

Safe - perldoc.perl.org: "Any attempt by the code in STRING to use an operator which is not permitted by the compartment will cause an error (at run-time of the main program but at compile-time for the code in STRING)."

This is a problem if you are trying to safely eval code that depends on a library that generates unsafe code - but where that unsafe code is not actually executed in the code under test.

I was hopeful that Safe made a distinction between permit/deny and trap - with trap being done at run-time inside the compartment. Unfortunately, not so - trap is an alias for the compile-time check deny.

Similarly eval'ing within the compartment itself...

---

So close, but not close enough. :-(

===

Of course, even if you have a properly Safe compartment, then it is up to the user, the caller, to pass the correct opcode tags. And the opcode tags are not fine-grained enough - e.g. you might want an app to be able to access its own files but not those of another app.
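To make the compile-time point concrete, here is an added example (mine, not from the post and not from the Safe documentation). It uses only core Perl; the code string under test and the path '/path/to/file' are constructed for the illustration:

```perl
#!/usr/bin/perl
# Added example, not from the post or the Safe documentation: shows the
# compile-time opcode check the post objects to.  'open' is outside Safe's
# default permitted opcode set, so a compartment rejects code that merely
# CONTAINS an open(), even inside a branch that is never taken at run time.
# Uses only core Perl (Safe ships with perl); the code string is constructed.
use strict;
use warnings;
use Safe;

# Run $code in a fresh compartment, optionally permitting extra opcodes or
# tags (e.g. 'open', ':filesys_read').  Returns (result, error_message).
sub restricted_eval {
    my ($code, @permit) = @_;
    my $cpt = Safe->new;
    $cpt->permit(@permit) if @permit;
    my $result = $cpt->reval($code);
    return ($result, $@);
}

# Code under test: the open() sits in a branch that cannot execute ($x is 40),
# but it is still compiled, and the mask is applied as each op is compiled.
my $dead_open = <<'PERL';
    my $x = 40;
    if ($x > 100) { open(my $fh, '<', '/path/to/file') }   # never runs
    $x + 2;
PERL

sub report {
    my ($label, $result, $err) = @_;
    print "$label: ", ($err ? "REJECTED: $err" : "ok, result=$result\n");
}

# 1. Default mask: rejected before a single statement runs.
#    Expected: REJECTED: 'open' trapped by operation mask at (eval N) line 2.
report("default mask ", restricted_eval($dead_open));

# 2. trap() is documented as a synonym for deny(): it adds to the same
#    compile-time mask, it does not install a run-time hook.  Same outcome.
my $cpt = Safe->new;
$cpt->trap('open');
my $r = $cpt->reval($dead_open);
report("explicit trap", $r, $@);

# 3. Permit the opcode and the SAME string passes with result 42.  Safe
#    decides per opcode, not per file path: there is no mask that says
#    "open your own files but not another application's".
report("open allowed ", restricted_eval($dead_open, 'open'));
```

Case 1 is the library problem described above: a module whose source contains a forbidden op anywhere fails to compile in the compartment, whether or not that path is reachable. Case 3 is the granularity problem: once 'open' is permitted, every open() is permitted, so the caller cannot express "this app's files only" with opcode tags alone.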













Saturday, January 23, 2016

UI design ideas inspired by Giving Blood

BRIEF:

Propose UI feature that allows you to scroll the entire screen around, as if embedded in a 2D plane that is 3X wide and high, to access buttons.


DETAIL:

I just spent a morning giving blood.  Platelets.  3.5 hours at the blood donor center; machine set for 90 minutes; possibly 2.5 hours on the cot.  Paperwork and phlebotomist tubing and other setup.  Plus half an hour of travel time.



I would like to give more blood more often. Not just because it is a good deed - I already give at about the maximum rate - but also because it just plain feels good. I am considering giving whole blood and platelets more often rather than double reds less often, partly to more often get that good feeling of having done good.



I would like to empty my Inbox more often.



Synergy?



I have never been able to use a laptop or tablet to read email while donating blood.   But it seems like it should be possible to read email on a cellphone while donating blood, although past attempts have not succeeded well.

I conjecture that the past attempts failed because of lousy cellphone email client design.  I am hopeful that the new swipe-oriented clients would allow me to read email on my cellphone with one free hand and arm, while donating blood with a needle stuck in the other arm.

It is hard to do much with your hands if you have needles in both arms, making reading difficult, whether book or cellphone. Whole blood donations are single needle; all of my recent double red donations have been single needle; my platelet donation today was double needle, although single needle apheresis is an option for platelet donations. I think that I am going to ask for single needle donations in the future.

But, the experience of trying to read email on my cellphone with apheresis needles in both arms has given me some UI ideas. Recorded here.

I was able to hold my phone in the hand of the arm into which blood was being returned.   There was too much tubing to try to hold my phone in the hand of the arm from which blood was being taken.  Bear that in mind if you are strongly right or left handed.

Using the "Zero" email app to go through the Unread email in my Inbox was reasonably easy to do, in this very restricted position.  Swipe up to move to the next message, left/right to go in or out.  Similarly, after I ran out of unread email to read, using the Flipboard or New York Times or Oregonian news apps was easy enough - easy swipes or taps that did not have to be directed at any particular button.

But, accessing buttons, doing anything other than swiping, was a real pain. In particular, the X that closes many screens, from the upper right hand corner, was quite hard to reach. One of the phlebotomists chastised me for moving too much, causing the apheresis blood return to block.

This difficulty of accessing buttons was what caused me to

a) Only be able to scan my unread Gmail in Zero.  I could swipe into and out of a view that allowed me to read most of any email.  But clicking on links (oh, no, I clicked on links in email!!!!! Security alert!!!!! But at least it was email that I expected, not unsolicited, although I must increase my phishing paranoia) brought me to a web browser that was hard to navigate by swipes.

b) It was easy to tap the Zero star that left an email in my Inbox for further handling.  Ditto swipe to dismiss and archive.  But filing to a folder or project was out of the question.

c) Zero's Inbox view, list oriented, with many different options - perhaps may have been useful, but I could not manage to use it.

d) As I have mentioned elsewhere, Zero does not work for my company email, which is ActiveSync only to cellphones, forbidding IMAP except on laptops. Zero does not yet support ActiveSync, so I cannot use it for work.

Nor were any of the other email clients usable in this "My arms are pinned down, and I can only swipe with my thumbs" usage model.

e) For the first time I actually made good use of the Apple accessibility feature that brings the top line of the screen with the X icon down to halfway.   But it was still uncomfortable.

f) I was able to accurately hit buttons like the start button.  So it is the reach, not the buttons, that is the problem.

g) I found myself wanting to be able to scroll the entire screen around to be able to reach the buttons, much as one moves around a map. As if the screen was embedded in a blank 2D plane. I imagined it as a firm press or other gesture to engage the "move the whole screen around" mode, swipes and scrolls to move the button at the far distant UR corner to under my left thumb. With elasticity to move the screen back.

I.e. I think that this "scroll the screen" approach might go a long way to allowing the traditional icons and button decorations for user interface to be useful in a one handed environment.

I can imagine "separability": the video or webpage or email you are looking at might stay fixed on the screen, while a mask of the buttons might move around.   Or move all together.

h) I plan to ask for a single needle the next time I give platelets, so I may no longer care. But:

h.1) I think that I *will* care - because I think this swiping is easier to use than the traditional UI.

h.2) I think this may be especially relevant to users who do not have the option - to physically disabled users, who may have the ability to move their thumb, but not their hand or wrist or arm. Certainly to people in a cast.

I wonder if deliberately trying to test UIs by deliberately restricting motion, much as I did by accident when trying to read email while donating platelets, might be a good way of encouraging better UI design.  More accessible not just for the disabled, nor just for the increasing number of older folks, but also for the entire bleeding market.

Disclaimers:

First, I am not a doctor, nor do I have any special knowledge about the Red Cross policies for blood donation. I am just a user, a blood donor, who would like to optimize his blood donations, both for maximum good and personal convenience.

If this information is already available from the Red Cross, then I wish it had been concisely presented on the website.  If it is already presented, then, damn, *I* was not able to find it!

Second, for any insurance company that sees this post and considers it evidence of a preexisting condition:  Tain't so.   I am not giving platelets because I, or a member of my family, is expected to need them.   I am just giving blood because I think it is a good thing.

Optimizing Blood Donation

Donating blood makes me feel good.  Today I gave platelets. Before that, my last donation was double reds, and so on.

I would like to "maximize" the good that my blood donations provide. 
BOTTOM LINE: I am going to try switching from a 2XR/112 schedule to a W/56+P/~28 schedule: i.e. I am going to try to donate whole blood at the maximum frequency, plus platelets in-between circa once a month, or even once a fortnight, rather than double reds at the maximum frequency. I think this maximizes the good done by my donation, and may even give me the selfish benefit of helping me catch up on email while donating. Single needle donation, so I have a hand free to read email on my cellphone.

Table for Blood Donation Scheduling Dependencies

This is my current best understanding (minimum days from one donation type, in the rows, to the next, in the columns):

From \ To      Whole Blood   Double Reds    Platelets
Whole Blood    56            56             7
Double Reds    112           112 (3x/yr)    112
Platelets      7             7              7 (24x/yr, ~14 days average)

I was having trouble getting a straight story on how often I could donate blood.  I know the standard intervals: once every 56 days for whole blood, once every 112 days for double red, once every 7 days for platelets. But even these have fine print: e.g. double reds no more than 3 times a year (messing up my plans to make a blood donation on January 1st, which I thought would make a nice start to the new year); e.g. platelets' minimal interval may be 7 days, but you are only allowed to give platelets 24 times a year, averaging slightly longer than once every 2 weeks).

And I was hearing many confusing and contradictory things about interleaving different types of donations.   E.g. I asked the phlebotomists, a few blood drives ago, when I could next give whole blood after donating platelets, and their answer was "56 days".  

So, at recent blood donations I asked more detailed questions, some of which were "escalated"; as well as doing some web research.

How "Good" is Whole Blood vs Double Red Blood Cell Donation?

The phrase "Double Red Blood Cells" tends to imply that a 2RBC donation provides 2X the red blood cells that a whole blood donation provides.

At least two phlebotomists were under the impression that a 2RBC donation provides more like 3X-4X the RBC of a WB donation. However, both of these went and did some more checking, and the answer seems to be no.

WB: 470 ml collected (circa 1 pint).

  • Typical hematocrit value is 45% for men, 40% for women. Hematocrit = packed cell volume = fraction of volume of blood that is red blood cells.
  • Therefore, in 1 pint of whole blood, the volume of red blood cells is approximately 218ml (men), or 190ml (women).
2RBC: 
  • The reservoir bag is larger than a pint - IIRC it is circa 620ml
  • But apparently there are other fluids, like saline and anticoagulant in the bag.
  • The reported volume of red blood cells collected was 360ml, in at least one instance.  (I may start tracking this from donation to donation.)

If these values are correct - 218ml-RBC/WB-donation for men, 190ml-RBC/WB-donation for women, vs. 360ml-RBC/2RBC-donation (male?), then it would appear that 2RBCs do collect only about 2X the red blood cells, per donation, or about the same amount over a year as whole blood donations provide, given the 2X-longer interval. In fact, slightly less - perhaps as much as 17% less.

But:

  • PRO-2RBC: bigger batch of cells from one donor => less immune system challenge for recipient.
  • PRO-2RBC: double reds probably has lower processing costs than whole blood donations.
  • CON-2RBC: whole blood donations also contribute platelets and plasma.
It seems to me that whole blood donations may do slightly more "good" than 2RBC donations, if assiduously giving at the maximum rate.  To which the benefits of extra interleaved platelet donations could be added.



How Often Can You Interleave Different Types of Blood Donations?

Normally (which we will stipulate for all of these statements), you can give platelets 7 days after a whole blood donation.

Normally you can give whole blood 7 days after a platelet donation. However, platelet donations are apheresis, drawing blood, separating the platelets, and returning the red blood cells and most of the plasma. Sometimes the return process cannot be completed, in which case the interval will be longer.

Although one might expect to be able to donate platelets 7 days after a double red donation, or at least without having to wait the full 112 days, this is not done. Apparently, although the double red donation returns most plasma and platelets, there may be enough "extra-corporeal blood loss" in the machine that the Oregon Red Cross does not permit this: apparently they do require the donor to wait the full 128 days until the next donation of any form.

GLEW HYPOTHESIS: to me, this sounds like "these machines are relatively new, and we are still evolving policies and performing studies as to how best to use them".  I would not be at all surprised if this policy is different, possibly with different machines, or as studies are made.

Donation Schedules

Discussion

First, donating on any regular schedule is better than not donating:

W/56: Every 56 days: donate whole blood

2XR/112: Every 112 days: donate double reds (but no more than thrice a year).

P/14: Every 7-14 days, donate platelets. (And plasma, if your local Red Cross is set up for donations of plasma and platelets together.)

Of course, donating at any frequency, not necessarily the maximum, is better than not donating.

But it occurred to me that a schedule such as the following might provide greater good:

W/56 + P/14:  Every 56 days, donate whole blood; every 14 days or so, donate platelets.

I wondered if it was possible to do 2XR/112+P/14, i.e. give double reds at the highest frequency, and donate platelets "in between".  However, it seems that the Red Cross does not allow this, apparently because of "extracorporeal loss".

So it seems that we only need to compare

W/56
W/56+P/14
2XR/112

W/56+P/14 seems to be unambiguously better than W/56, so if you or I have time to give platelets "in-between" our whole blood donations, go for it.

On the face of things, both W/56 by itself, and W/56+P/14 seem to be "better value" than 2XR/112, since W/56 seems to provide the same number of whole blood cells as 2XR/112, plus some platelets, plus plasma.

But: there is a hard to quantify value to having twice the number of red blood cells drawn from the same donor: less chance of bad reactions, etc.  I don't know how to quantify the value, although I would hope that some public health statistician has done so.  (If I knew where to find the necessary stats, I could do the analysis.)   (The shelf life of red blood cells is apparently 42 days, so there is no possibility of building up a "stock" of blood from the same donor.)

Also, "Double red cell donations from Type O donors and donors with Rh-negative blood types play a very important role in maintaining blood supply levels.", since O- is the so-called universal donor of red blood cells, while O+ can be given Rh+ recipients, around 80% of the population.  (I.e. O- is the universal donor, and O+ is the almost universal donor).

(Conversely, AB is the universal plasma donor.)

So choosing between W/56+P/14 and 2XR/112 involves:

For the universal plasma donors of type AB, donating plasma and platelets seems to be a win, whether in schedules W/56 or W/56+P/14, versus donating only red blood cells using the 2XR/112 schedule.

For the universal O- and nearly universal O+ red blood cell donors, donating plasma and platelets is less crucial, and both W/56 and 2XR/112 donate approximately the same amount of red blood cells.

Nevertheless, I should hope that there is still some benefit for an O+/O- donor to donate platelets and plasma as well as red blood cells, so W/56+P/14 would seem to be "for the greater good".  Again, except for the benefit of having bigger batches from the same donor.

Convenience

The "benefit" of W/56+P/14 must be weighed against the convenience, and the probability of compliance.

It is much easier to commit to giving double reds three times a year, than it is to commit to giving whole blood every two months.

Time

Whole blood: the actual donation takes 8-10 minutes, but the Red Cross says to allow 1 hour for the entire process.  To this you have to add travel time.

Double Reds: Circa 1.5 hours for the entire process.  Plus travel time - but since you can only give half as often, the total time cost over a year is halved.  Double Reds may be the best way to give for someone who has little free time, even for good deeds like giving blood.

Platelets: the Red Cross' web pages say 1.5 to 2.5 hours.  For me, today, it was actually 3.5 hours.  The actual donation was 90 minutes.   And to this you have to add travel time.

Multitasking:

Note: phlebotomists are past masters at multitasking. I am only talking about multitasking for the blood donors: trying to get work done, e.g. process email, while giving blood.

When I was in grad school I used to be able to read or study while giving a single needle apheresis donation. It is hard to do much with your hands if you have needles in both arms, making reading difficult, whether book or cellphone. Whole blood donations are single needle; all of my recent double red donations have been single needle; my platelet donation today was double needle, although single needle apheresis is an option for platelet donations.

Double needle / two arm platelet donations are a bit faster (don't have to reverse the flow). And apparently double needle platelet donations are a bit higher quality than single needle platelet donations. Hearsay; I have not researched; but this sounds plausible, I can imagine several mechanisms that might be responsible.

Here, I think that I am going to be selfish:  if I can get some useful work done in the circa 90 minutes I am donating platelets (or in the much shorter times for whole blood and double red donations), I am much more likely to actually donate. Heck, if I could clear my Inbox once a week while donating blood, I would!  But unfortunately the allowed frequencies do not support that.

I am leaning towards single needle donations for platelets in the future, just to try to get this selfish benefit.

Although perhaps it would be good for my soul to sit quietly and meditate while giving blood. Plus it is fun to chat with the phlebotomists and volunteers.

Also:  I was amazed to see that the Oregon Red Cross in Portland has a large selection of movies that you can watch while donating platelets.   Large screens in front of every cot!!!  Things have certainly changed since grad school!!! There are lots of movies that I want to watch; and I am sure that the Red Cross would allow you or me to bring in our own DVDs, of movies, or classes like The_Great_Courses.

(I wonder if The Teaching Company might consider making their DVD classes available to the Red Cross for viewing by blood donors?  Good cause, possibly a good tax deduction, good advertising, and possibly sticky: watch the first lecture in a series, buy the rest.)


Disclaimers:

First, I am not a doctor, nor do I have any special knowledge about the Red Cross policies for blood donation. I am just a user, a blood donor, who would like to optimize his blood donations, both for maximum good and personal convenience.

If this information is already available from the Red Cross, then I wish it had been concisely presented on the website.  If it is already presented, then, damn, *I* was not able to find it!

Second, for any insurance company that sees this post and considers it evidence of a preexisting condition:  Tain't so.   I am not giving platelets because I, or a member of my family, is expected to need them.   I am just giving blood because I think it is a good thing.